mirror of
https://github.com/semver/semver.git
synced 2026-07-10 19:50:47 -05:00
[GH-ISSUE #803] Support for more granular releases than <patch> level
#6519
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @RichiH on GitHub (Feb 16, 2022).
Original GitHub issue: https://github.com/semver/semver/issues/803
https://github.com/grafana/grafana/ and other Grafana projects structure security releases as follows:
x.y.z+1(+1used in the "integer plus one" sense here) release -- which contains security-relevant changes onlyx.y.z+1to the public one week laterNormal development runs in parallel, but other releases are blocked until
x.y.z+1is public.x.y.z+2often comes out at the same time asx.y.z+1. The intention behind this system is to allow users to immediately install security updates with the minimal internal Q&A.The problem is that blocking normal releases slows down everything else.
Possible approaches:
x.y.z+security01(+security01used in the "build info" sense here). This allows for clear signalling to users and has enough room for potential follow-up updates. The problem is that build info MUST NOT be used for determining version precedence. As such, this is a human-readable indicator, but not useful for wider automation.x.y.z+1for a week, releasingx.y.z+2before it. This signals the existence of an upcoming security release.I see two possible changes to SemVer which would enable this and similar use cases:
+or_similar to how Debian versioning works semantically, i.e.The more generic and widely usable system seems to be option 1.
NB: "subpatch" is the least bad name I could come up with just now. It's not particularly good.
NB: Both of those suggestions would be breaking changes for SemVer, requiring a new major version.
If there's any interest in this, I would be more than happy to work on a RFC/PR.
@ljharb commented on GitHub (Feb 18, 2022):
How are security fixes different from any other bug fixes?
@mkungla commented on GitHub (Feb 18, 2022):
I fully agree here with @ljharb,
THEY ARE NOT. security fixes are clearly
<patch>. I understand that intention is to skip some of the internal Q&A and to push security patches out quicker than regular patches which may rather introduce security vulnerability. However I feel this proposed approach as it is presented here is bad by the design as similar like some while ago some proposal for "version forking".I find that if to use some Quality Assurance exceptions for security patches then these still SHOULD live in
<build>meta, but minimal MUST be always incremented .e.g. project specific version interpretation to simplify QA
do work around blocking
1.0.2in this example could be using principals of LTSwhen you have
<minor>which has one or more<patch>with<build> == securitythen release new<minor>as quickly as possible so that if you want to provide security patches to1.0.xthen you can easily do so keep as many1.0.x+securitypatches as you wish.@RichiH perhaps you can elaborate why such model would not satisfy and you think that moving project specific
<build>info into general purpose additional<subpatch>is good idea?Specially since security patches can be it self sometimes require
<minor>or even<major>update.@RichiH commented on GitHub (Feb 18, 2022):
@kunkel246 this looks like spam. Could you delete it, please?
@ljharb in the general case: They allow non-intended behavior to be triggered by third parties with some level of reliability. In this specific case, we want to be able to release normal patch releases without leaking the existence of a currently-private release, nor to block development workflow. If done right, their fix releases contain nothing but security-relevant changes.
@mkungla as per specification, build information MUST NOT be used to determine version precedence. As such, it is impossible to use it for any resilient upgrade processes.
Cases in which
<minor>or even<major>need to be bumped are possible, but out of scope for the use cases described above.In generalized form,
<subpatch>(or similar) would have the intuitively correct semantic meaning: A way to improve upon a<patch>version.@ljharb commented on GitHub (Feb 18, 2022):
@RichiH bugs are all unintended behavior, whether it’s something that gets a security engineer excited or not. That’s the definition of bug.
@RichiH commented on GitHub (Feb 18, 2022):
@ljharb Again, they allow non-intended behavior to be triggered by third parties with some level of reliability. I do not wish to replay the discussions around this topic from LKML and elsewhere, though. There are two distinct and incompatible schools of thought around this topic.
While security releases are my initial motivation, the generic solution proposed is not limited to security releases.
@mkungla commented on GitHub (Feb 18, 2022):
@RichiH thats the whole point
build information MUST NOT be used to determine version precedencethat's why in example I gave you it is possible to follow current specification.regardless is it security patch or not, it still SHOULD increment at least the patch number.
You can use
<build>e.g.1.1.1+securityin scope of your project to decide yourQArules and NOT to determine version precedence. This totally valid use of semver since usingSo this is invalid:
And following is totally fine if you have users with constraint
>= 1.1.0 <= 1.2.0, they will receive your security patch1.1.2+securityand are not forced to upgrade to1.2.0. NOTE that+securitybuild info in this case you are just specifying release policy what you promise your project to follow. Your user may or may not opt in to loosen QA in cases where<patch>+securityis released semantically next version they have approved.To add additional scope what you ask to spec is impossible since we are generally still speaking about
<patch>and there is no way now or in the future to universally determine where is the line between<patch>and your<patch>.<subpatch>@ljharb commented on GitHub (Feb 18, 2022):
In semver, there’s only one school of thought - a change that’s not breaking and isn’t adding new behavior is patch. Whether something is arbitrarily decided to be a security issue or not (and it is very much not objective) is irrelevant in semver.
@RichiH commented on GitHub (Feb 18, 2022):
@mkungla In this usage,
<build>is a no-op. The actual functionality is coming through<patch>only, which was my point. Signalling what the intention of a build is is largely irrelevant for this use case. Determining that it's a higher version is the desired behavior.@ljharb This is a correct description of current behavior, agreed. I would prefer to stop this cyclic discussion while still awaiting wider feedback.
If yours is an authoritative statement from the SemVer project as a whole, please let me know so I can close the issue.
@jwdonahue commented on GitHub (May 3, 2022):
I think I linked a bunch of the "expand the version triple to..." class of threads. It's a perennial discussion that never goes anywhere. There have been at least a half dozen PR's issued in the past that languished years before finally being closed by an ambitious maintainer. I can tell you from experience that anything that adds or removes numeric fields from version core is not going to happen.
Any such changes would require a major version bump of the spec and the maintainers are all about stability. There's also the problem of disambiguating between 2.0.0 and any 3.0.0 syntax such that correct semantics can be applied. Fact is there's a lot of tools out there that have 4 integer version fields already and none of them need the SemVer stamp of approval to be useful.
@jwdonahue commented on GitHub (May 3, 2022):
See also: #391, #340, #321
I am sure there's many more, but I don't have time find them all.
@RichiH commented on GitHub (May 3, 2022):
Thanks @jwdonahue. I agree that it seems unlikely to happen at this point, but I also still strongly believe that it's an actual problem that needs to be solved across the industry. Being able to rely on a common standard would be a good thing. On the plus side, any parser which is not deliberately limited will automagically Do The What I Mean with
<major> "." <minor> "." <patch> "." <subpatch>.Grafana will move to
<major> "." <minor> "." <patch> "." <subpatch>and it seems likely that Prometheus will need to do the same for Long Term Support versions; CC @roidelapluie on the latter.@roidelapluie commented on GitHub (May 3, 2022):
It will not be needed for Prometheus LTS. The minor releases will be supported, not the bugfix releases.
@cratoshup commented on GitHub (Sep 26, 2023):
Ufifiitiriuw jfufiff
@ispyu85 commented on GitHub (Apr 7, 2025):
Can anyone help me figure this out?
/storage/emulated/0/Download/ai-hub-models-0.26.1(1) (1)/ai-hub-models-0.26.1/scripts/util/github.sh